Re: algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters

[Max Tulyev]

Hi Martin,

well, not only as-set and route.

Assuming only legitimate owner of inetnum and aut-num have passwords for
mntner from that objects can modify their RIPE DB objects and can create
routes.

So to create a route object, you have to have access for inetnum and
aut-num objects (that can be different passwords and owners in general).

Then, you state in your aut-num import and export to some upstream. To
do that, you have to use your password, of course.

Then, your upstream modifying it's aut-num stating import your asn from
you and export your asn to it's upstream... and so on.

So it is possible to provide full chain of trust inside RIPE region that
way.

As-sets is only the way to let manage a lot of downstreams' ASNs more easy.

Many of ISPs using it, there is some software like RETN made, to build
prefix list to your downstreams automatically. And it works.

There is three problems: first, it is only RIPE region specific. You
can't do that with ARIN nets for example. Second, it is RIPE-dependent.
So we depend on RIPE DB when do routing. In some cases it can make some
harm. Third, if someone steal or "recover" RIPE DB password from some
inetnum - he can easy do a hijack through system uses RIPE DB filtering.

On 04.02.16 13:14, Martin T wrote:
> Hi,
> 
> am I correct that ISPs (in RIPE region), who update their BGP prefix
> filters automatically, ask their IP transit customer or peering
> partner to provide their "route"/"route6" object(s) or "as-set" object
> in order to find all the prefixes which they should accept? If the IP
> transit customer or peering partner provides an "as-set", then ISP
> needs to ensure that this "as-set" belongs to this IP transit customer
> or peering partner because there is no automatic authentication for
> this, i.e. anybody can create an "as-set" object to database with
> random "members" attributes? This is opposite to "route"/"route6"
> objects which follow a strict authentication scheme. In addition, in
> case of "as-set", an ISP needs to recursively find all the AS numbers
> from "members" attributes because "as-set" can include other
> "as-sets"? Quite a lot of question, but I would simply like to be sure
> that I understand this correctly.
> 
> 
> thanks,
> Martin
> 

Re: algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters

[Henrik Thostrup Jensen]

Hi Martin

On Thu, 4 Feb 2016, Martin T wrote:


am I correct that ISPs (in RIPE region), who update their BGP prefix
filters automatically, ask their IP transit customer or peering
partner to provide their "route"/"route6" object(s) or "as-set" object
in order to find all the prefixes which they should accept?


This is a common practice to do. Both within and outside the RIPE region. 
For bigger networks, prefix lists become somewhat unwieldy, and one can 
then use as-path filters instead. Use a prefix limit with this.


Typically you use a tool (bgpq3) to generate the prefix lists.

If the IP transit customer or peering partner provides an "as-set", then 
ISP needs to ensure that this "as-set" belongs to this IP transit 
customer or peering partner because there is no automatic authentication 
for this, i.e. anybody can create an "as-set" object to database with 
random "members" attributes?


I don't know the procedure for creating as-sets, maybe someone else can 
chip in.


This is opposite to "route"/"route6" objects which follow a strict 
authentication scheme.


I believe this differs depending on the irrd software/operator.

In addition, in case of "as-set", an ISP needs to recursively find all 
the AS numbers from "members" attributes because "as-set" can include 
other "as-sets"?


Some irrd servers, can expand this automatically (I think). But seriously, 
use a tool for this.


Quite a lot of question, but I would simply like to be sure that I 
understand this correctly.


There are basically two abstractions:

1. as-set. Can contain other as-sets or as numbers.
2. prefixes are registered to an as-number.

Remember that there are multiple IRR servers, and they mirror each other.

Use http://irrexplorer.nlnog.net/ to play around a bit :-).


Best regards, Henrik

 Henrik Thostrup Jensen 
 Software Developer, NORDUnet

algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters

[Martin T]

Hi,

am I correct that ISPs (in RIPE region), who update their BGP prefix
filters automatically, ask their IP transit customer or peering
partner to provide their "route"/"route6" object(s) or "as-set" object
in order to find all the prefixes which they should accept? If the IP
transit customer or peering partner provides an "as-set", then ISP
needs to ensure that this "as-set" belongs to this IP transit customer
or peering partner because there is no automatic authentication for
this, i.e. anybody can create an "as-set" object to database with
random "members" attributes? This is opposite to "route"/"route6"
objects which follow a strict authentication scheme. In addition, in
case of "as-set", an ISP needs to recursively find all the AS numbers
from "members" attributes because "as-set" can include other
"as-sets"? Quite a lot of question, but I would simply like to be sure
that I understand this correctly.


thanks,
Martin

Re: algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters

[Pavel Odintsov]

Hello!

You could check awesome project for this purposes:
http://www.stableit.ru/2015/06/generate-bgp-filters-with-bgpq3.html
It's authored by Russian carrier RETN.net.

On Thu, Feb 4, 2016 at 2:58 PM, Henrik Thostrup Jensen  wrote:
> Hi Martin
>
> On Thu, 4 Feb 2016, Martin T wrote:
>
>> am I correct that ISPs (in RIPE region), who update their BGP prefix
>> filters automatically, ask their IP transit customer or peering
>> partner to provide their "route"/"route6" object(s) or "as-set" object
>> in order to find all the prefixes which they should accept?
>
>
> This is a common practice to do. Both within and outside the RIPE region.
> For bigger networks, prefix lists become somewhat unwieldy, and one can then
> use as-path filters instead. Use a prefix limit with this.
>
> Typically you use a tool (bgpq3) to generate the prefix lists.
>
>> If the IP transit customer or peering partner provides an "as-set", then
>> ISP needs to ensure that this "as-set" belongs to this IP transit customer
>> or peering partner because there is no automatic authentication for this,
>> i.e. anybody can create an "as-set" object to database with random "members"
>> attributes?
>
>
> I don't know the procedure for creating as-sets, maybe someone else can chip
> in.
>
>> This is opposite to "route"/"route6" objects which follow a strict
>> authentication scheme.
>
>
> I believe this differs depending on the irrd software/operator.
>
>> In addition, in case of "as-set", an ISP needs to recursively find all the
>> AS numbers from "members" attributes because "as-set" can include other
>> "as-sets"?
>
>
> Some irrd servers, can expand this automatically (I think). But seriously,
> use a tool for this.
>
>> Quite a lot of question, but I would simply like to be sure that I
>> understand this correctly.
>
>
> There are basically two abstractions:
>
> 1. as-set. Can contain other as-sets or as numbers.
> 2. prefixes are registered to an as-number.
>
> Remember that there are multiple IRR servers, and they mirror each other.
>
> Use http://irrexplorer.nlnog.net/ to play around a bit :-).
>
>
> Best regards, Henrik
>
>  Henrik Thostrup Jensen 
>  Software Developer, NORDUnet
>
>



-- 
Sincerely yours, Pavel Odintsov

Re: algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters

[Jared Mauch]

> On Feb 4, 2016, at 6:58 AM, Henrik Thostrup Jensen  wrote:
> 
>> In addition, in case of "as-set", an ISP needs to recursively find all the 
>> AS numbers from "members" attributes because "as-set" can include other 
>> "as-sets"?
> 
> Some irrd servers, can expand this automatically (I think). But seriously, 
> use a tool for this.
> 
>> Quite a lot of question, but I would simply like to be sure that I 
>> understand this correctly.
> 
> There are basically two abstractions:
> 
> 1. as-set. Can contain other as-sets or as numbers.
> 2. prefixes are registered to an as-number.
> 
> Remember that there are multiple IRR servers, and they mirror each other.
> 
> Use http://irrexplorer.nlnog.net/ to play around a bit :-).
> 

Yes.  We record the customer ASN and the AS-SET for each AFI (v4|v6) and expand 
these and push updated lists to devices daily or on demand based on customer 
need.

You should be able to build off any of the mirrored IRRds out there as they all 
mirror each other, often with minimal lag (5-30 minutes).

The days of fetching via FTP once a day are long gone and a relic of the past.

I recommend using AS-PATH combined with prefix filters to keep your pants on.  
Rejecting things like networks you may get transit from from customers, and 
peers helps avoid feeding my route leak system. 
http://puck.nether.net/bgp/leakinfo.cgi

You should also not be using any IOS devices for BGP as documented in 
CSCuq14541 where they leak the full table.

- Jared

Re: algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters

[Randy Bush]

> We record the customer ASN and the AS-SET for each AFI (v4|v6) and
> expand these and push updated lists to devices daily or on demand
> based on customer need.

do you trust the state of the acl on the router and only send a delta,
or do you send the whole acl?

randy

Re: algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters

[Paul Thornton]

On 04/02/2016 11:14, Martin T wrote:

Hi,

am I correct that ISPs (in RIPE region), who update their BGP prefix
filters automatically, ask their IP transit customer or peering
partner to provide their "route"/"route6" object(s) or "as-set" object
in order to find all the prefixes which they should accept? If the IP
transit customer or peering partner provides an "as-set", then ISP
needs to ensure that this "as-set" belongs to this IP transit customer
or peering partner because there is no automatic authentication for
this, i.e. anybody can create an "as-set" object to database with
random "members" attributes? This is opposite to "route"/"route6"
objects which follow a strict authentication scheme. In addition, in
case of "as-set", an ISP needs to recursively find all the AS numbers
from "members" attributes because "as-set" can include other
"as-sets"? Quite a lot of question, but I would simply like to be sure
that I understand this correctly.


Yes you do.  Typically, you'll tell the transit provider something like 
"We are AS23456 announcing AS-STUFF" at order time so they know what to 
look up.


What then happens is they have something that does the following as 
either a semi-automatic or fully automatic process:
1) Iterate through AS-STUFF to get a unique list of AS numbers that are 
involved.
2) Go through this list of ASes, doing an inverse lookup of route or 
route6 objects with an origin of those ASes.

3) Create filter list from the above list.

The route/route6 objects actually have very weak authentication for 
out-of-RIPE-region prefixes.


For example, if I want to add a route object for ARIN prefix originating 
from my RIPE-region AS, there is a dummy maintainer to make this 
possible.  This is currently subject to somewhat of a debate on the 
mailing lists because of the obvious abuse vector, and there are cases 
where this has been used to help "legitimise" address space hijacks.


Unfortunately it is hard to simultaneously allow legitimate 
unauthenticated use without allowing abusive route objects.  Which is 
why there is a lot of head-scratching here; I don't have an answer to 
that one.


Paul.

Re: algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters

[Jared Mauch]

On Thu, Feb 04, 2016 at 05:52:54PM +0100, Randy Bush wrote:
> >>> We record the customer ASN and the AS-SET for each AFI (v4|v6) and
> >>> expand these and push updated lists to devices daily or on demand
> >>> based on customer need.
> >> 
> >> do you trust the state of the acl on the router and only send a delta,
> >> or do you send the whole acl?
> > 
> > We send the whole ACL.
> > 
> > (infact, we send the full router config each time).
> 
> i bet that scales well.  though i would not trust the router either.

it works well enough, software bugs aside.  much better than
wondering what state a device is in.  our customer migration team
was able to use this toolization to move over 200 discrete interfaces
in one night without error recently.

having the proper tooling and inventory of customers is
key here.  when turning up the first few customers, i get having
a manual process but the ROI on automation is well worth it.

there's many variations of this graphic out there but
it's important when justifying why you have a network engineer
who can also code and do more than one thing:

http://www.geeksaresexy.net/2012/01/05/geeks-vs-non-geeks-picture/

there's also this related item, you do have to maintain it:

https://xkcd.com/1319/

if you avoid feature creep the tools can be done properly.  I've
seen many a project delayed by someone trying to wedge something
in, or alter a schema from one that works to one that is more
technically pure and make it harder to do work.

you must also have the culture that works with the tools, it can't
be the one tool that $powerUser operates, it has to be part
of the busines process.

- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.

Re: algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters

[Randy Bush]

>>> We record the customer ASN and the AS-SET for each AFI (v4|v6) and
>>> expand these and push updated lists to devices daily or on demand
>>> based on customer need.
>> 
>> do you trust the state of the acl on the router and only send a delta,
>> or do you send the whole acl?
> 
> We send the whole ACL.
> 
> (infact, we send the full router config each time).

i bet that scales well.  though i would not trust the router either.

randy

Re: algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters

[Jared Mauch]

On Thu, Feb 04, 2016 at 05:40:36PM +0100, Randy Bush wrote:
> > We record the customer ASN and the AS-SET for each AFI (v4|v6) and
> > expand these and push updated lists to devices daily or on demand
> > based on customer need.
> 
> do you trust the state of the acl on the router and only send a delta,
> or do you send the whole acl?

We send the whole ACL.

(infact, we send the full router config each time).

- Jared


-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.